a punctured programming approach to adaptively … · a punctured programming approach to...

A Punctured Programming Approach to Adaptively Secure

Functional Encryption

Brent Waters∗

University of Texas at [email protected]

Abstract

We propose the first construction for achieving adaptively secure functional encryption (FE) for poly-sized circuits (without complexity leveraging) from indistinguishability obfuscation (iO). Our reductionhas polynomial loss to the underlying primitives. We develop a “punctured programming” approach toconstructing and proving systems where outside of obfuscation we rely only on primitives realizable frompseudo random generators.

Our work consists of two constructions. Our first FE construction is provably secure against anyattacker that is limited to making all of its private key queries after it sees the challenge ciphertext.(This notion implies selective security.) Our construction makes use of an we introduce called puncturabledeterministic encryption (PDE) which may be of independent. With this primitive in place we show asimple construction FE construction.

We then provide a second construction that achieves adaptive security from indistinguishability ob-fuscation. Our central idea is to achieve an adaptively secure functional encryption by bootstrappingfrom a one-bounded FE scheme that is adaptively secure. By using bootstrapping we can use“selective-ish” techniques at the outer level obfuscation level and push down the challenge of dealing with adaptivesecurity is then FE scheme, where it has been already been solved. We combine our bootstrappingframework with a new “key signaling” technique to achieve our construction and proof.

∗Brent Waters is supported by NSF CNS-0915361 and CNS-0952692, CNS-1228599 DARPA through the U.S. Office ofNaval Research under Contract N00014-11-1-0382, DARPA N11AP20006, Google Faculty Research award, the Alfred P. SloanFellowship, Microsoft Faculty Fellowship, and Packard Foundation Fellowship.

1 Introduction

In traditional encryption systems a message, m, is encrypted with a particular user’s public key PK. Later auser that holds the corresponding secret key will be able to decrypt the ciphertext and learn the contents ofthe message. At the same time any computationally bounded attacker will be unable to get any additionalinformation on the message.

While this communication paradigm is appropriate for many scenarios such as targeted sharing betweenusers, there exist many applications that demand a more nuanced approach to sharing encrypted data. Forexample, suppose that an organization encrypts video surveillance images and stores these ciphertexts in alarge online database. Later, we would like to give an analyst the ability to view all images that match aparticular pattern such as ones that include a facial image that pattern matches with a particular individual.In a traditional encryptions system we would be forced to either give the analyst the secret key enablingthem to view everything or give them nothing and no help at all.

The concept of functional encryption (FE) was proposed to move beyond this all or nothing view ofdecryption. In a functional encryption system a secret key SKf is associated with a function f . Whena user attempts to decrypt a ciphertext CT encrypted for message m with secret key SKf , he will learnf(m). The security of functional encryption states that an attacker that receives keys for any polynomialnumber of functions f1, . . . , fQ should not be able to distinguish between an encryption of m0,m1 as longas ∀i fi(m0) = fi(m1).

The concept of functional encryption first appeared under the guise of predicate encryption [BW07,KSW08] with the nomenclature later being updated[SW08, BSW11] to functional encryption. In addition,functional encryption has early roots in Attribute-Based Encryption [SW05] and searching on encrypteddata [BCOP04].

A central challenge is to achieve functional encryption for as expressive functionality classes as pos-sible — ideally one would like to achieve it for any poly-time computable function. Until recently, thebest available was roughly limited to the inner product functionality proposed by Katz, Sahai, and Wa-ters [KSW08]. This state of affairs changed dramatically with the introduction of a candidate indistin-guishability obfuscation [BGI+12] system for all poly-size circuits by Garg, Gentry, Halevi, Raykova, Sahai,and Waters [GGH+13] (GGHRSW). The authors showed that a functional encryption system for any poly-sized circuits can be built from an indistinguishability obfuscator plus public key encryption and statisticallysimulation sound non-interactive zero knowledge proofs.

Thinking of Adaptive Security While the jump from inner product functionality to any poly-sizecircuit is quite significant, one limitation of the GGHRSW functional encryption system is that it only offers aselective proof of security where the attacker must declare the challenge messages before seeing the parametersof the FE system. Subsequently, Boyle, Chung and Pass [BCP14] proposed an FE construction based on anobfuscator that is differing inputs secure. We briefly recall that an obfuscator O is indistinguishability secureif it is computationally difficult for an attacker to distinguish between obfuscations O(C0) and O(C1) for anytwo (similar sized) circuits that are functionally equivalent (i.e. ∀x C0(x) = C1(x)). Recall, that differinginputs [BCP14, ABG+13] security allows for an attacker to use circuits C0 and C1 that are not functionallyequivalent, but requires that for any PPT attacker that distinguishes between obfuscations of the two circuitsthere must a PPT extraction algorithm that finds some x such that C0(x) 6= C1(x). Thus, differing inputsobfuscation is in a qualitatively different class of “knowledge definitions”. Furthermore, there is significantevidence [GGHW14] that there exist certain functionalities with auxiliary input that are impossible to buildobfuscate under the differing inputs definition.

Our goal is to build adaptively secure functional encryption systems from indistinguishability obfusca-tion. We require that our reductions have polynomial loss of security relative to the underlying primitives.(In particular, we want to avoid the folklore complexity leveraging transformation of simply guessing thechallenge messages with an exponential loss.) In addition, we want to take a minimalist approach to theprimitives we utilize outside of obfuscation. In particular, we wish to avoid the use of additional “strongtools” such as non-interactive zero knowledge proofs or additional assumptions over algebraic groups. We

1

note that our focus is on indistinguishability notions of functional encryption as opposed to simulationdefinitions [BSW11, O’N10].

Our Results In this work we propose two new constructions for achieving secure functional encryption (forpoly-sized circuits) from indistinguishability obfuscation. We develop a “punctured programming” approach[SW14] to constructing and proving systems where our main tools in addition to obfuscation are a selectivelysecure puncturable pseudo random functions. We emphasize puncturable PRFs are themselves constructiblefrom pseudo random generators [GGM84, BW13, BGI13, KPTZ13].

We start toward our FE construction which is provably secure against any attacker that is limited tomaking all of its private key queries after it sees the challenge ciphertext.1 While this is attacker is stillrestricted relative to a fully adaptive attacker, we observe that such a definition is already stronger than thecommonly used selective restriction.

To build our system we first introduce an abstraction that we call puncturable deterministic encryp-tion (PDE). The main purpose of this abstraction is to serve in some places as a slightly higher leveland more convenient abstraction to work with than puncturable PRFs. A PDE system is a symmetrickey and deterministic encryption scheme and consists of four algorithms: SetupPDE(1λ),EncryptPDE(K,m),DecryptPDE(K,CT), and PuncturePDE(K,m0,m1). The first three algorithms have the usual correctness se-mantics. The fourth puncture algorithm takes as input a master key and two messages (m0,m1) and outputsa punctured key that can decrypt all ciphertexts except for those encrypted for either of the two messages— recall encryption is deterministic so there are only two such ciphertexts. The security property of PDEis stated as a game where the attacker gives two messages (m0,m1) to the attacker and then returns backa punctured key as well as two ciphertexts, one encrypted under each message. In a secure system no PPTattacker will be able to distinguish which ciphertext is associated with which message.

Our PDE encryption mechanism is rather simple and is derived from the hidden trigger mechanism fromthe Sahai-Waters [SW14] deniable encryption scheme. PDE Ciphertexts are of the form:

CT = (A = F1(K1,m), B = F2(K2, A)⊕m).

where F1 and F2 are puncturable pseudo random functions, with F1 being an injective function. Decryptionrequires first computing m′ = B ⊕ F2(K2, A) and then checking that F1(K1,m

′) = A. 2

With this tool in place we are now ready to describe our first construction. The setup algorithm willfirst choose a puncturable PRF key K for function F . Next, it will create the public parameters PP as anobfuscation of a program called InitialEncrypt. The InitialEncrypt program will take in randomnessr and compute a tag t = PRG(r). Then it will output t and a PDE key k that is derived from F (K, t). Theencryption algorithm can use this obfuscated program to encrypt as follows. It will simply choose a randomvalue r ∈ {0, 1}λ, where λ is the security parameter. It then runs the obfuscated program on r to receive(t, k) and then creates the ciphertext CT as (t, c = EncryptPDE(k,m)).

The secret key SKf for a function f will be created as an obfuscated program. This program will takeas input a ciphertext CT = (t, c). The program first computes k from F (K, t), then uses k to decrypt c toa message m and outputs f(m). The decryption algorithm is simply to run the obfuscated program on theciphertext.

The proof of security of our first system follows what we can a “key-programming” approach. The highlevel idea is that for each key we will hardwire in the decryption response into each secret key obfuscatedprogram for when the input is the challenge ciphertext. For all other inputs the key computes decryptionnormally. Our key-programming approach is enabled by two important factors. First, in the security gamethere is a single challenge ciphertext so only one hardwiring needs to be done per key. Second, since allqueries come after the challenge messages (m0,m1) are declared we will know where we need to punctureto create our hardwiring.

1This model has been called semi-adaptive in other contexts [CW14].2Despite sharing the term deterministic, our security definition of PDEs does not have much in common with deterministic

encryption [BFO08, BFOR08] which has a central goal of hiding information among message distributions of high entropy.

2

Intuitively, our proof can be broken down into two high level steps. First, we will perform a set of stepsthat allow us to hardwire the decryption answers to all of the secret keys for the challenge ciphertext. Next,we use PDE security to move from encrypting mb for challenge bit b ∈ {0, 1} to always encrypting m0—independent of the bit b. (The actual proof of Section 5 contains multiple hybrids and is more intricate.)

Handling Full Security We now move to dealing with full security where we need to handle privatekey queries on both sides of the challenge ciphertext. At this point it is clear that relying only on key-programming will not suffice. First, a pre-challenge ciphertext key for function f will need to be createdbefore the challenge messages (m0,m1) are declared, so it will not even be known at key creation time whatf(m0) = f(m1) will be.

Our central idea is to achieve an adaptively secure functional encryption by bootstrapping from a one-bounded FE scheme that is adaptively secure. At a high level a ciphertext is associated with a tag t and aprivate key with a tag y. From the pair of tags (t, y) one can (with the proper key material) pseudorandomlyderive a master secret key k for a one bounded FE system. The ciphertext will be equipped with an obfuscatedprogram, C, which on input of a key tag y will generate the one bounded key k (associated with the pair(t, y)) and then uses this to create an encryption of the message m under the one-bounded scheme with keyk. Likewise, the private key for functionality f comes equipped with an obfuscated program Pf which oninput of a ciphertext tag t derives the one bounded secret key k and uses this to create a one-bounded secretkey.

The decryption algorithm will pass the key tag y to the ciphertext program to get a one boundedciphertext CTOB and the ciphertext tag t to the key program to get a one bound key SKOB. Finally, it willapply the one bounded decryption algorithm as DecryptOB(CTOB,SKOB) to learn the message m. The onebounded key and ciphertext are compatible since they are both derived psuedorandomly from the pair (t, y)to get same one-bounded key k. (Note a different pair (t′, y′) 6= (t, y) corresponds to a different one boundedFE key k′ with high probability.)

Our bootstrapping proof structure allows us to develop “selective-ish” techniques at the outer level since inour reductions the ciphertext and private key tags can be chosen randomly ahead of time before the challengemessage or any private key queries are known. Then the challenge of dealing with adaptive security is then“pushed down” to the one bounded FE scheme, where it has been solved in previous work [GVW12].

In the description above we have so far omitted one critical ingredient. In addition to generating a onebounded secret key on input t, the program Pf on input t will also generate an encrypted signal a that ispassed along with the tag y to the ciphertext program C on decryption to let it know that it is “okay” togenerate the one-bounded ciphertext for the pair (t, y). In the actual use of the system, this is the onlyfunctionality of the signal. However, looking ahead to our proof we will change the signal encrypted to tellthe program C to switch the message for which it generates one bounded encryption encryptions of.

Our proof replaces key programming with a method we call “key-signaling”. In a key-signaling systema normal ciphertext will be associated with a single message m which we refer to as an α-message. Thedecryption algorithm will use the secret key to prepare an α-signal for the ciphertext which will enablenormal decryption. However, the ciphertext can also have a second form in which it is associated with twomessages mα and mβ . The underlying semantics are that if it receives an α-signal it uses mα and if itreceives a β-signal it uses mβ .

These added semantics open up new strategy for proving security. In the initial security game thechallenge ciphertext encrypts mb for challenge bit b. It will only receive α-signals from keys. Next we(indistinguishably) move the challenge ciphertext to encrypt mb as the α-message and m0 as the β-message.All keys still send only α-signals. Now one by one we change each key to send an β-signal to the challengeciphertext as opposed to an α-signal. This step is feasible since for any queried function f we must havethat f(mb) = f(m0). Finally, we are able to erase the message mb since no key is signaling for it.

Stepping back we can see that instead of storing the response of decryption for the challenge ciphertextat each key, we are storing the fact that it is using the second message in decryption.

We note that we can instantiate the one-bounded system using the construction of Gorbunov, Vaikun-tanathan and Wee [GVW12] (GVW) who proved adaptive security of a public key FE 1-bounded scheme

3

from IND-CPA secure public key encryption. Since we actually only need master key encryption, we observethat this can be achieved from IND-CPA symmetric key encryption. Thus, we maintain our goal of not usingheavy weight primitives outside of obfuscation. One important fact is that the GVW scheme is proven to be1-bounded adaptively secure regardless of whether the private key query comes before or after the challengeciphertext. We note that the GVW system actually allows for a single key, but many ciphertexts; however,we only require security for a single ciphertext.

The actual proof of security requires several hybrid steps and we defer further details to Section 6.

Recent Work Recently, Garg, Gentry, Halevi, and Zhandry [GGHZ14a] showed how to realize adaptivelysecure Attribute-Based Encryption from multilinear graded encodings. It is based on U-graded encodings.

Subsequent to both of these works, the same authors [GGHZ14b] gave a construction of FunctionalEncryption from multilinear encodings. This construction required a new multilinear encoding functionalityof allowing the “encoding grades” to be dynamically extended by any party using just the public parameters.Their scheme crucially leverages this capability and is also reflected in the assumption.

There are different tradeoffs between and pure indistinguishability obfuscation approach and that used in[GGHZ14b]. On one hand the approach of [GGHZ14b] allows one to directly get to mutlilinear encodings.On the other hand the novel use of extensions of grades both gives a novel technical idea, but possibly presentsnew risks. For example, there has been a flurry of recent activity consisting of attacks and responses to certaincandidate constructions and assumptions of multilinear enocdings [CHL+14, BWZ14, GHMS14, CLT14].

If one reduces to indistinguishability obfuscation, it can potentially be realized from different typesof assumptions, including different forms of multilinear encodings or potentially entirely different numbertheory. An interesting open question is whether indistinguishability obfuscation or some close variant of itcan be reduced to a basic number theoretic assumption that does not rely on sub exponential hardness. Oneinteresting variant of this direction is to consider different variations of iO that are more amenable to suchproofs, but can be leveraged in similar ways.

Bootstrapping with a Flipped One-time FE Scheme More recently, Ananth, Brakerski, Segev andVaikuntanathan [ABSV14] showed an eloquent adaptation of our technique of bootstrapping from an adap-tive 1-bounded scheme. Instead of starting with the 1-bounded FE scheme of GVW, they use a simpletransformation on GVW due Brakerski and Segev[BS14] and applying universal circuits to create a flippedversion of it. While the GVW scheme we used can handle a single key and many ciphertexts, the flippedversion does the opposite. It can handle multiple keys, but only generating one ciphertext (this is done withsecret key encryption).

They go on to show that using the flipped version of one-bounded FE for bootstrapping enables simplifi-cations in the construction and proof. Instead of having attaching an obfuscated program to the ciphertextto generate one-bounded ciphertexts, the composite ciphertext contains a single 1-bounded ciphertext. Inaddition, it has a separate (“trojan”) component that allows for transmitting the 1-bounded secret key usedcreate a ciphertext to a program on the key side. Taken together the flipping and the trojan transmissionallow for the private key to consist of a selectively secure functional encryption system.

2 Preliminaries

In this section, we define indistinguishability obfuscation, and puncturable pseudo random functions (PRFs).All the variants of PRFs that we consider can be constructed from one-way functions.

2.1 Indistinguishability Obfuscation and PRFs

The definition of indistinguishability obfuscation below is adapted from [GGH+13]; following [KSW14] themain difference with previous definitions is that we uncouple the security parameter from the circuit size bydirectly defining indistinguishability obfuscation for all circuits:

4

Definition 1 (Indistinguishability Obfuscator (iO)). A uniform PPT machine iO is called an indistinguisha-bility obfuscator for circuits if the following conditions are satisfied:

• For all security parameters λ ∈ N, for all circuits C, for all inputs x, we have that

Pr[C ′(x) = C(x) : C ′ ← iO(λ,C)] = 1

• For any (not necessarily uniform) PPT adversaries Samp, D, there exists a negligible function α suchthat the following holds: if Pr[|C0| = |C1| and ∀x,C0(x) = C1(x) : (C0, C1, σ)← Samp(1λ)] > 1−α(λ),then we have:

∣∣∣Pr[D(σ, iO(λ,C0)) = 1 : (C0, C1, σ)← Samp(1λ)

]−Pr

[D(σ, iO(λ,C1)) = 1 : (C0, C1, σ)← Samp(1λ)

]∣∣∣ ≤ α(λ)

Such indistinguishability obfuscators for circuits were constructed under novel algebraic hardness as-sumptions in [GGH+13].

2.2 Puncturable PRFs

Puncturable PRFs were defined by Sahai and Waters [SW14] as a simple type of constrained PRF [BW13,BGI13, KPTZ13]. They define a puncturable PRFs as a PRF for which a key can be given out that allowsevaluation of the PRF on all inputs, except for a designated polynomial-size set of inputs.

Definition 2. A puncturable family of PRFs F mapping is given by a triple of Turing Machines (KeyF ,PunctureF , and EvalF ), and a pair of computable functions n(·) and m(·), satisfying the following conditions:

• [Functionality preserved under puncturing] For every PPT adversary A such that A(1λ) outputsa set S ⊆ {0, 1}n(λ), then for all x ∈ {0, 1}n(λ) where x /∈ S, we have that:

Pr[EvalF (K,x) = EvalF (KS , x) : K ← KeyF (1λ),KS = PunctureF (K,S)

]= 1

• [Pseudorandom at punctured points] For every PPT adversary (A1, A2) such that A1(1λ) out-puts a set S ⊆ {0, 1}n(λ) and state σ, consider an experiment where K ← KeyF (1λ) and KS =PunctureF (K,S). Then we have∣∣∣Pr

[A2(σ,KS , S,EvalF (K,S)) = 1

]− Pr

[A2(σ,KS , S, Um(λ)·|S|) = 1

]∣∣∣ = negl(λ)

where EvalF (K,S) denotes the concatenation of EvalF (K,x1)), . . . ,EvalF (K,xk)) where S = {x1, . . . , xk}is the enumeration of the elements of S in lexicographic order, negl(·) is a negligible function, and U`denotes the uniform distribution over ` bits.

For ease of notation, we write F (K,x) to represent EvalF (K,x). We also represent the punctured keyPunctureF (K,S) by K(S).

The GGM tree-based construction of PRFs [GGM84] from one-way functions are easily seen to yieldpuncturable PRFs where the punctured size sizes are polynomial in the size of the set S, as recently observedby [BW13, BGI13, KPTZ13]. Thus we have:

Theorem 1. [GGM84, BW13, BGI13, KPTZ13] If one-way functions exist, then for all efficiently computablefunctions n(λ) and m(λ), there exists a puncturable PRF family that maps n(λ) bits to m(λ) bits.

Next we consider families of PRFs that are with high probability injective using the definition:

5

Definition 3. A statistically injective (puncturable) PRF family with failure probability ε(·) is a family of(puncturable) PRFs F such that with probability 1 − ε(λ) over the random choice of key K ← KeyF (1λ),we have that F (K, ·) is injective.

If the failure probability function ε(·) is not specified, then ε(·) is a negligible function.

Theorem 2. If one-way functions exist, then for all efficiently computable functions n(λ), m(λ), and e(λ)such that m(λ) ≥ 2n(λ) + e(λ), there exists a puncturable statistically injective PRF family with failureprobability 2−e(λ) that maps n(λ) bits to m(λ) bits.

The proof of this theorem is contained in Sahai-Waters [SW14].

Sampling Master Keys At times instead of running the KeyF (1λ) algorithm to generate the masterkey for a puncturable PRF we will generate the master key by simply sampling a uniformly random stringK ∈ {0, 1}λ where λ is the security parameter. We argue that we can do this without loss of generality. First,suppose there exists a puncturable PRF system as defined above. Then we can create another puncturablePRF system which uses the random coins, r used in KeyF (1λ; r) as the master secret key. Since the originalmaster secret key can be generated from these coins, we can adapt the algorithms to use r as the mastersecret key — any algorithm that needs to use the original master key K will simply first generate it bycalling KeyF (1λ; r). Second, suppose there is an algorithm that chooses a master secret key as a randomstring of length z > λ. Then we can always create another puncturable PRF system with length λ secretkeys that simply using a pseudo random generator to expand the key from λ to z bits.

The above transformations are standard observations used in cryptography. We mention this here sincein our constructions we will often sample a directly as a random string instead of going through the processof picking randomness and then generating a key from the randomness. The reason is simply to cut downon the number of steps we need in our exposition.

3 Functional Encryption

Our syntax for functional encryption roughly follows in the line of Boneh-Sahai-Waters [BSW11] except wespecialize our notation for the case where the private key is a function f and the ciphertext input is a messagem. This is without loss of generality when f can be any poly-sized circuit and thus includes a universalcircuit.

For security we use the indistinguishability notion, which was the first one considered for functionalencryption (as well as predicate encryption [BW07, KSW08]). De Caro et. al. [CJO+13] show how inthe random oracle model one can transform a system with indistinguishability secure into one with strongsimulation security.

Definition 4 (Functional Encryption). A functional encryption scheme for a class of functions F = F(λ)over message space M =M(λ) consists of four algorithms FE = {Setup,KeyGen,Encrypt,Decrypt}:

Setup(1λ) – a polynomial time algorithm that takes the unary representation of the security parameter λand outputs public parameters PP and a master secret key MSK.

KeyGen(MSK, f) – a polynomial time algorithm that takes as input the master secret key MSK and adescription of function f ∈ F and outputs a corresponding secret key SKf .

Encrypt(PP, x) – a polynomial time algorithm that takes the public parameters PP and a string x andoutputs a ciphertext CT.

Decrypt(SKf ,CT) – a polynomial time algorithm that takes a secret key SKf and ciphertext encryptingmessage m ∈M and outputs f(m).

A functional encryption scheme is correct for F if for all f ∈ F and all messages m ∈M:

Pr[ (PP,MSK)← Setup(1λ); Decrypt(KeyGen(MSK, f),Encrypt(PP,m)) 6= f(m) ] = negl(λ).

6

Indistinguishability Security for Functional Encryption

We describe indistinguishability security as a multi-phased game between an attacker A and a challenger.

Setup: The challengers runs (PP,MSK)← Setup(1λ) and gives PP to A.

Query Phase 1: A adaptively submits queries f in F and is given SKf ← KeyGen(MSK, f). This step canbe repeated any polynomial number of times by the attacker.

Challenge: A submits two messages m0,m1 ∈ M such that f(m0) = f(m1) for all functions f queried inthe key query phase. The challenger then samples CT∗ ← Encrypt(PP,mb) for the attacker.

Query Phase 2: A continues to issue key queries as before subject to the restriction that any f queriedmust satisfy f(m0) = f(m1).

Guess: A eventually outputs a bit b′ in {0, 1}.

The advantage of an algorithm A in this game is AdvA = Pr[b′ = b]− 12 .

Definition 5. A functional encryption scheme is indistinguishability secure if for all poly-timeA the functionAdvA(λ) is negligible.

Definition 6. In the above security game we define a post challenge ciphertext attacker as one that does notmake any key queries in Phase 1. We define a functional encryption scheme to be post challenge ciphertextindistinguishability secure if for any poly-time algorithm A that is a post challenge ciphertext attacker theadvantage of A is negligible in the indistinguishability security game.

Remark 1. We remark that any system that is post challenge ciphertext secure must also be selectivelysecure. Recall that a selective attacker is required to give the challenge messages m0,m1 before seeing theparameters and then can make as many queries as desired. We first observe that if there exists a selectiveattacker on a system that makes both Phase 1 and Phase 2 queries, then there exists a selective attackerthat makes only Phase 2 queries. Intuitively, even though a selective attacker it can then make both Phase 1and Phase 2 queries, the abilitiy to make Phase 1 queries does not provide any additional leverage (over onlymaking Phase 2 queries) since the selective committed to the challenge messages. With this observation inmind we now see that a post challenge ciphertext attacker has the same power except it has the additionalleverage in that it can delay its decision of what challenge messages to commit to until after seeing the publicparameters.

3.1 One Bounded FE schemes

In our main construction we will use as a building block adaptively secure one-bounded secure functionalencryption schemes. These are functional encryption schemes in which the attacker is allowed to make atmost one private key query. Gorbunov, Vaikuntanathan and Wee [GVW12] proved adaptive security of a1-bounded scheme from IND-CPA secure public key encryption. (They later use this to build k-boundedschemes for larger k.) Following Sahai and Seyalioglu [SS10], they base their construction off of Yao garbledcircuits [Yao82]. An important point is that the GVW 1-bounded security proof holds whether they keyquery comes before or after the challenge ciphertext.

For our purposes we will only need a one-bounded FE scheme with symmetric key (or master key)encryption. This is clearly implied by a public key FE scheme. In this security model an attacker will notbe given any public parameters, but can query an encryption oracle a polynomial number of times. Withoutloss of generality we will sometimes assume that the master secret key is chosen as a uniform string of λbits for security parameter λ. (See the previous section’s discussion on sampling master keys.) We observethat the 1-bounded GVW scheme can be based off of IND-CPA security of symmetric key encryption if theone-bounded FE scheme itself is only required to provide for master key encryption.

7

4 Puncturable Deterministic Encryption

In this section we define a primitive of puncturable deterministic encryption and show how to build it from(injective) puncturable PRFs. The main purpose of this abstraction is to give a slightly higher level tool(relative to puncturable PRFs) to work with in our punctured programming construction and proofs.

4.1 Definition

Definition 7 (Puncturable Deterministic Encryption). A puncturable deterministic encryption (PDE) schemeis defined over a message spaceM =M(λ) and consists of four algorithms: (possibly) randomized algorithmsSetupPDE, and PuncturePDE along with deterministic algorithms EncryptPDE and DecryptPDE. All algorithmswill be poly-time in the security parameter.

SetupPDE(1λ) The setup algorithm takes a security parameter and uses its random coins to generate a keyK from a keyspace K.

EncryptPDE(K,m) The encrypt algorithm takes as input a key K and a message m. It outputs a ciphertextCT. The algorithm is deterministic.

DecryptPDE(K,CT) The decrypt algorithm takes as input a key K and ciphertext CT. It outputs either amessage m ∈M or a special reject symbol ⊥.

PuncturePDE(K,m0,m1) The puncture algorithm takes as input a key K ∈ K as well as two messagesm0,m1. It creates and outputs a new key K(m0,m1) ∈ K. The parentheses are used to syntacticallyindicate what is punctured.

Correctness A punctured deterministic encryption scheme is correct if there exists a negligible functionnegl such that the following holds for all λ and all pairs of messages m0,m1 ∈M(λ).

Let K = SetupPDE(1λ) and K(m0,m1)← PuncturePDE(K,m0,m1). Then for all m 6= m0,m1

Pr[DecryptPDE(K(m0,m1),EncryptPDE(K,m)) 6= m] = negl(λ).

In addition, we have that for all m (including m0,m1)

Pr[DecryptPDE(K,EncryptPDE(K,m)) 6= m] = negl(λ).

Definition 8. We say that a correct scheme is perfectly correct if the above probability is 0 and otherwisesay that it is statistically correct.

(Selective) Indistinguishability Security for Punctured Deterministic Encryption

We describe indistinguishability security as a multi-phased game between an attacker A and a challenger.

Setup: The attacker selects two messages m0,m1 ∈ M and sends these to the challenger. The challengerruns K = SetupPDE(1λ) and K(m0,m1) = PuncturePDE(K,m0,m1). It then chooses a random bitb ∈ {0, 1} and computes

T0 = EncryptPDE(K,mb), T1 = EncryptPDE(K,m1−b).

It gives the punctured key K(m0,m1) as well as T0, T1 to the attacker.

Guess: A outputs a bit b′ in {0, 1}.

The advantage of an algorithm A in this game is AdvA = Pr[b′ = b]− 12 .

8

Definition 9. A puncturable deterministic encryption scheme is indistinguishability secure if for all poly-time A the function AdvA(λ) is negligible.

One can also consider an adaptive game of security where the attacker can probe an encryption oracleon multiple messages before committing to m0,m1. However, we do not explore this further in this paper.

Remark 2. Our definition allows for a key to be punctured at two messages. One possibility is to extendthis abstraction to allow for puncturing at many messages (and likewise adapt the security game). However,we chose a narrower definition since it is simpler and sufficient to suit our purposes.

Sampling Master Keys At times instead of running the SetupPDE(1λ) algorithm to generate the masterkey for a puncturable PRF we will generate the master key by simply sampling a uniformly random stringk ∈ {0, 1}λ where λ is the security parameter. We can also do this without loss of generality from anargument similar to the one we gave for sampling puncturable PRF keys (see Section 2.2). Our motivationagain is to cut down on the description length of our primitives and proofs.

4.2 A Construction from Puncturable PRFs

We now describe our PDE construction which is derived from the mechanism used to implement “hiddentriggers” in the Sahai-Waters [SW14] deniable encryption system. The PDE scheme we provide is param-eterized over a security parameter λ and has message space M = M(λ) = {0, 1}λ. It makes use off twopuncturable PRF families. The first is a statistically injective puncturable PRF F1 that takes inputs fromλ bits to ` = `(λ) bits and the second F2 goes from ` bits to λ bits.

SetupPDE(1λ) The setup algorithm samples keys K1 ← KeyF1(1λ) and K1 ← KeyF2

(1λ).

EncryptPDE(K = (K1,K2),m) The encryption algorithm (deterministically) computes a ciphertext as:

CT = (A = F1(K1,m), B = F2(K2, A)⊕m).

DecryptPDE(K,CT = (A,B)) The decryption algorithm first computes m′ = F2(K2, A)⊕B. Next, it checks

if F1(K1,m′)

?= A. If so, it outputs m′, otherwise it outputs ⊥.

PuncturePDE(K,m0,m1) The algorithm computes dA = F1(K1,m0) and eA = F1(K1,m1). It setsK1(m0,m1) =PunctureF1(K, {m0,m1}) and K2(dA, eA) = PunctureF2(K, {dA, eA}). 3 The output PDE key isK(m0,m1) = (K1(m0,m1),K2(dA, eA)).

Correctness. Correctness holds in the case where K1 is sampled such that the function F (K1, ·) is injec-tive. For use of non-punctured keys, correctness follows from observation. The encryption and decryptionalgorithms can also be used on punctured keys . Here correctness will follow for key K(m0,m1) on allmessages m 6= m0,m1 as long as F1(K1,m) 6= F1(K1,m0) or F1(K1,m1). This bad event will not occur aslong as F (K1, ·) is injective.

4.2.1 Security

We sketch a proof of security via a sequence of hybrid games.

3We assume that the distribution of PunctureF1(K1, {m0,m1}) is the same as PunctureF1

(K1, {m1,m0}). This can beeasily achieved by treating the parameters in lexicographic or random order. (We also assume this for F2.)

9

Game 1

1. Attacker declares (m0,m1) and challenger samples K = (K1,K2).

2. Challenger computes dA = F1(K1,m0), eA = F1(K1,m0).

3. Challenger computes dB = F2(K2, dA), eB = F2(K2, eA).

4. Challenger outputs K(m0,m1) = (K1(m0,m1),K2(dA, eA)).

5. Challenge flips a coin b and outputs: Tb = (dA, dB ⊕m0) T1−b = (eA, eB ⊕m1).

6. Attacker guesses b′ and wins if b = b′.

Game 2Line 2. Challenger chooses random dA, eA.

By punctured PRF security no attacker can distinguish Game 1 and Game 2.

Game 3Line 3. Challenger chooses random dB , eB .

By punctured PRF security no attacker can distinguish Game 2 and Game 3.

However, we can now see that since dA, dB , eA, eB are all chosen uniformly at random in Game 3 we havethat T0, T1 information theoretically hide the bit b. This final information theoretic argument depends onthe fact that the distribution of PunctureF1

(K1, {m0,m1}) is the same as PunctureF1(K1, {m1,m0}).

5 A Post Challenge Ciphertext Secure Construction

We now describe our construction for a functional encryption (FE) scheme that is post challenge ciphertextsecure. We let the message space M =M(λ) = {0, 1}`(λ) for some polynomial function ` and the functionclass be F = F(λ).

We will use a puncturable PRF F (·, ·) such that when we fix the key K we have that F (K, ·) takesin a 2λ bit input and outputs λ bits. In addition, we use a puncturable deterministic encryption scheme(PDE) where the message space M is the same as that of the (FE) system. In our PDE systems master(non-punctured) keys are sampled uniformly at random from {0, 1}λ. Finally, we use an indistinguishabilitysecure obfuscator and a length doubling pseudo random generator PRG : {0, 1}λ → {0, 1}2λ.

Our Construction In our system the setup algorithm will produce an obfuscated program P that servesas the public parameters. Encryption proceeds in two steps. First the encryptor will choose a random stringr and run P (r). The obfuscated program will first use r to generate a tag t. Next the program will applya (puncturable) psuedorandom function on t with global key K to generate a PDE key k. The programoutputs both the tag t and PDE key k to the encryptor. Finally, the encryptor will use k to perform anencryption of the actual message m getting PDE ciphertext c. The (total) ciphertext CT consists of the tagt and c. Intuitively, the ciphertext component c is the “core encryption” of the message and the tag t tellshow one can derive the PDE key k (if one knows the system’s puncturable PRF key).

The authority generates a private key for function f as an obfuscated program Pf . To decrypt a ciphertextCT = (t, c) the decrypt or simply runs Pf (t, c). The obfuscated program will first generate the same PDEkey k that was used to encrypt the ciphertext

We make two intuitive remarks about security. First, we note that the system’s puncturable PRF key Konly appears in obfuscated programs and not in the clear. Second, it is not necessarily a problem perform thecore encryption of the message under a deterministic scheme. The reason is that the encryption procedureimplicitly chooses a fresh k so with high probability any single PDE key should only be used once. (Clearly,performing a deterministic encryption step more than once with the same key would be problematic.)

We now give our construction in detail.

10

Setup(1λ)The setup algorithm first chooses a random punctured PRF keyK ← KeyF (1λ) and sets this as the master se-cret key MSK. Next it creates an obfuscation of the program Initial-Encrypt as P ← iO(1λ, Initial-Encrypt:1[K]).4

(See Figure 1.) This obfuscated program, P , serves as the public parameters PP.

Encrypt(PP = P (·),m ∈M)The encryption algorithm chooses random r ∈ {0, 1}λ. It then runs the obfuscated program P on r to get:

(t, k)← P (r).

It then computes EncryptPDE(k,m) = c. The output ciphertext is CT = (t, c).

KeyGen(MSK, f ∈ F(λ)) The KeyGen algorithm produces an obfuscated program Pf by obfuscating

Pf ← iO(Key-Eval:1[K, f ]).5

Decrypt(CT = (t, c),SK = Pf ) The decryption algorithm takes as input a ciphertext CT and a secret keySK which is an obfuscated program Pf . It runs Pf (t, c) and outputs the response.

Correctness Correctness follows in a rather straightforward manner from the correctness of the underlyingprimitives. We briefly sketch the correctness argument. Suppose we call the encryption algorithm for messagem with randomness r. The obfuscated program generates (t, k) = (PRG(r), F (K, t)). Then it creates theciphertext CT = (t, c = EncryptPDE(k,m)). Now let’s examine what occurs when Decrypt(CT = (t, c),SKf =Pf ) is called where Pf was a secret key created from function f . The decryption algorithm calls Pf (t, c).The (obfuscated) program will compute the same PDE key k = F (K, t) as used to create the ciphertext.Then it will use the PDE decryption algorithm and obtain m. This follows via the correctness of the PDEscheme. Finally, it outputs f(m) which is the correct output.

Initial-Encrypt:1

Constants: Puncturable PRF key K.Input: Randomness r ∈ {0, 1}λ.

1. Let t = PRG(r).

2. Compute: k = F (K, t).

3. Output: (t, k).

Figure 1: Program Initial-Encrypt:1

Key-Eval:1

Constants: PRF key K, function description f ∈ F .Input: (t, c).

1. Compute: k = F (K, t).

2. Output f(DecryptPDE(k, c)). (If DecryptPDE(k, c) evaluates to ⊥ the program outputs ⊥.)

Figure 2: Program Key-Eval:1

4The program Initial-Encrypt:1 is padded to be the same size as Initial-Encrypt:2.5The program Key-Eval:1 (of Figure 2) is padded to be the same size as Key-Eval:2.

11

5.1 Proof of Security

Before delving into our formal security proof we give a brief overview with some intuition. In our systema challenge ciphetext CT∗ will be a pair (t∗, c∗) of a tag and PDE ciphertext. The first step of our proofis to use pseudorandom generator security to (indetectably) move t∗ out of the set of tags T that might begenerated from the program P . (Note the set T corresponds to the possible outputs of the pseudorandomgenerator.) This then enables us to perform multiple puncturing and hardwiring steps detailed below.Eventually, instead deriving the PDE key k∗ as F (K, t∗), it will be chosen uniformly at random. (Here k∗

is the PDE key used in creating the challenge ciphertext.)Furthermore, instead of putting the PDE key k∗ into the obfuscated programs given out as keys we will

put a punctured version k′. This punctured version is can decrypt all ciphertexts except it cannot tell thedifference between a PDE encryption of the challenge message m0 from m1. However, by the rules of thesecurity game it must be the case that the bit df = f(m0) = f(m1) for any queried private key function f .Therefore, an obfuscated program for private key f can output df when either of the two PDE ciphertextsarises without knowing which one is which. We note that the reduction knows which messages (m0,m1) topuncture the PDE key k at since in this security game all keys are given out after the challenge ciphertextis generated.

Finally, at this stage we can simply apply the PDE security game to argue that the message is hidden.We note that the first steps of the proof have similarities to prior programming puncturing proofs [SW14],but we believe the introduction of and the way we utilize puncturable deterministic encryption are novel tothis construction. Our formal proof follows.

Theorem 3. The above functional encryption scheme is post challenge ciphertext secure if it is instantiatedwith a secure punctured PRF, puncturable deterministic encryption scheme, pseudo random generator, andindistinguishability secure obfuscator.

Proof. To prove the above theorem, we first define a sequence of games where the first game is the originalFE security game. Then we show (based on the security of different primitives) that any poly-time attacker’sadvantage in each game must be negligibly close to that of the previous game. We begin by with describingGame 1 in detail, which is the (post challenge ciphertext) FE security game instantiated with our construc-tion. From there we describe the sequence of games where each game is described by its modification fromthe previous game. We continue to enumerate each step in every game in order to ease verification of ourlemmas.

Game 1 The first game is the original security game instantiated for our construction.

1. Challenger computes K ← KeyF (1λ) and randomly chooses the challenge bit b ∈ {0, 1}.

2. Challenger chooses random r∗ ∈ {0, 1}λ and computes t∗ = PRG(r∗).

3. Challenger creates P ← iO(1λ, Initial-Encrypt:1[K]) and passes P to attacker.

4. Attacker gives messages m0,m1 ∈M to challenger. (No Phase 1 queries.)

5. Challenger computes k∗ ← F (K, t∗).

6. Challenger computes c∗ ← EncryptPDE(k∗,mb) and outputs challenge ciphertext as CT∗ = (t∗, c∗).

7. On attacker key query for function f ∈ F the challenger responds with Pf ← iO(Key-Eval:1[K, f ]).

8. The attacker gives a bit b′ and wins if b′ = b.

12

Game 2


2. Challenger chooses random t∗ ∈ {0, 1}2λ.







Game 3 Parameters program is now punctured at t∗.


2. Challenger chooses random t∗ ∈ {0, 1}2λ and computes computes K(t∗) = PunctureF (K, t∗).

3. Challenger creates P ← iO(1λ, Initial-Encrypt:2[K(t∗)]) and passes P to attacker.






Game 4 Obfuscated programs in secret keys are punctured and hardwired.







7. Let k′ = PuncturePDE(k∗,m0,m1). Let c′0 = EncryptPDE(k∗,m0) and let c′1 = EncryptPDE(k∗,m1). Thenlet c0, c1 consist of c′0, c

′1 in lexicographic order.6 Consider each attacker key query for function f ∈ F .

Let df = f(m0) = f(m1). The challenger responds with Pf ← iO(Key-Eval:2[K(t∗), t∗, f, c0, c1, df , k′]).


Remark 3. We remark that the lexicographic ordering is so that the to put the ciphertexts in the programis based on the form of the ciphertext and not (directly) on the messages they encode.7 This property willbe important later for arguing security from Game 5 to Game 6.

6If c′0 < c′1 then c0 = c′0, c1 = c′1; otherwise, c0 = c′1, c1 = c′0.7Another alternative would be to put the ciphertexts in random order (as we did in an earlier version of this work).

13

Game 5





5. Challenger chooses random k∗ ∈ {0, 1}λ.



′1 in lexicographic order. Consider each attacker key query for function f ∈ F .



Game 6


2. Challenger chooses random t∗ ∈ {0, 1}2λcomputes computes K(t∗) = PunctureF (K, t∗).



5. Challenger chooses random k∗ ∈ {0, 1}λ.

6. Challenger computes c∗ ← EncryptPDE(k∗,m0) and outputs challenge ciphertext as CT∗ = (t∗, c∗).


′1 in lexicographic order. Consider each attacker key query for function f ∈ F .



We observe that in this final game the attacker has no information on the challenger’s bit b since thegame always just encrypts m0.

Initial-Encrypt:2

Constants: Punctured PRF key K(t∗).Input: Randomness r ∈ {0, 1}λ.

1. Let t = PRG(r).

2. Compute: k = F (K(t∗), t).

3. Output: (t, k).


We now move to establishing the lemmas that argue the attacker’s advantage must be negligibly closebetween successive games. We let AdvA,i denote the advantage of algorithm A in Game i of guessing the bitb.

14

Key-Eval:2

Constants: PRF key K(t∗), tag value t∗ ∈ {0, 1}2λ, function description f ∈ F , PDE ciphertexts c0, c1,df ∈ {0, 1}, and punctured deterministic encryption key k′ = kt∗(m0,m1).Input: (t, c).

1. If t = t∗ AND c 6= c0, c1 output f(DecryptPDE(k′, c)).

2. If t = t∗ AND (c = c0 OR c = c1) output df .

3. Otherwise compute: k = F (K, t).

4. Output f(DecryptPDE(k, c)).

Figure 4: Program Key-Eval:2

Lemma 1. If our pseudo random generator PRG is secure then for all PPTA we have that AdvA,1−AdvA,2 =negl(λ) for some negligible function negl.

Proof. We describe and analyze a PPT reduction algorithm B that plays the pseudo random generatorsecurity game. B first receives a PRG game challenge T ∈ {0, 1}2λ. It then runs the attacker and executesthe security game as described in Game 1 with the exception that in Step 2 it lets t∗ = T . If the attackerwins (i.e. b′ = b), then B guesses ‘1’ to indicated that T was in the image of a PRG; otherwise, it outputs‘0’ to indicate that T was chosen randomly.

We observe that when T is generated as T = PRG(r), then B gives exactly the view of Game 1 to A.Otherwise if T is chosen randomly the view is of Game 2. Therefore if AdvA,1 − AdvA,2 is non-negligble, Bmust also have non-negligible advantage against the pseudo random generator security game.

Lemma 2. If iO is a secure indistinguishability obfuscator, then for all PPT A we have that AdvA,2 −AdvA,3 = negl(λ) for some negligible function negl.

Proof. We describe and analyze a PPT reduction algorithm B that plays the indistinguishability obfus-cation security game with A. B runs steps 1-2 as in Game 2. Next it creates two circuits as C0 =Initial-Encrypt:1[K] and C1 = Initial-Encrypt:2[K(t∗)]. It submits both of these to the IO chal-lenger and receives back a program P which it passes to the attacker in step 3. It executes steps 4-8 as inGame 2. If the attacker wins (i.e. b′ = b), then B guesses ‘0’ to indicated that P was and obfuscation of C0;otherwise, it guesses ‘1’ to indicate it was an obfuscation of C1.

We observe that when P is generated as and obfuscation of C0, then B gives exactly the view of Game 2to A. Otherwise if P is chosen as an obfuscation of C1 the view is of Game 2. In addition, the programs arefunctionally equivalent with all but negligible probability. The reason is that t∗ is outside the image of thepseudo random generator with probability at least 1− 2λ. Therefore if AdvA,2 − AdvA,3 is non-negligble, Bmust also have non-negligible advantage against the indisguishability obfuscation game.

Lemma 3. If iO is a secure indistinguishability obfuscator, then for all PPT A we have that AdvA,3 −AdvA,4 = negl(λ) for some negligible function negl.

Proof. To prove this lemma we will consider a hybrid argument. Let Q = Q(λ) be the number of privatekey queries issued by some attacker A. (Without loss of generality we can assume A always makes exactlyQ queries on every execution.) For i ∈ [0, Q] we define Game 3, i to be the same as Game 3 except that thefirst i private key queries of step 7 are handled as in Game 4 and the last Q − i are handled as in Game 3.We observe that Game 3, 0 is the same as Game 3 and that Game 3, Q is the same as Game 4. Thus toprove security we need to establish that no attacker can distinguish between Game 3, i and Game 3, i+ 1 fori ∈ [0, Q− 1] with non negligible advantage.

15

We describe and analyze a PPT reduction algorithm B that plays the indistinguishability obfuscationsecurity game with A. B runs steps 1-6 as in Game 3. For the first i queries of step 7 it answers as in Game 4.For query i+ 1 it creates two circuits as C0 = Key-Eval:1[K, f ] where f is the function queried for. Next,let k′ = PuncturePDE(k∗,m0,m1). Let c′0 = EncryptPDE(k∗,m0) and let c′1 = EncryptPDE(k∗,m1). Then letc0, c1 consist of c′0, c

′1 in lexicographic order. Let df = f(m0) = f(m1), where f is the key queried for. It

creates C1 = Key-Eval:2[K(t∗), t∗, f, c0, c1, df , k′].

It submits both of these to the IO challenger and receives back a program P which it passes to theattacker as Pf . It answers the rest of the queries of step 7 as in Game 3 and completes step 8. If the attackerwins (i.e. b′ = b), then B guesses ‘0’ to indicated that P was and obfuscation of C0; otherwise, it guesses ‘1’to indicate it was an obfuscation of C1.

We observe that when P is generated as and obfuscation of C0, then B gives exactly the view of Game 3, ito A. Otherwise if P is chosen as an obfuscation of C1 the view is of Game 3, i+ 1. In addition, theprograms are functionally equivalent with all but negligible probability. The reason is that correctnessholds for all messages with all but negligible probability. The only difference in the programs is that theresponse is hardwired in for two inputs. Therefore if AdvA,3,i−AdvA,3,i+1 is non-negligble, B must also havenon-negligible advantage against the indisguishability obfuscation game.

Lemma 4. If F is a selectively secure puncturable PRF then for all PPT A we have that AdvA,4−AdvA,5 =negl(λ) for some negligible function negl.

Proof. We describe and analyze a PPT reduction algorithm B that plays the selective puncturable PRFsecurity game. B first runs step 1, then chooses t∗ and submits it back to the punctured PRF challenger.It receives back a punctured key K(t∗) and a challenge value z. It runs steps 3-4 for A as in Game 4. Instep 5 it sets k∗ = z. It then runs step 6-8 as in Game 4. We note that in step 7 the punctured key K(t∗)is sufficient to create the challenge ciphertext and answer all private key queries. If the attacker wins (i.e.b′ = b), then B guesses ‘1’ to indicated that z = F (K, t∗); otherwise, it outputs ‘0’ to that z was chosenrandomly.

We observe that when z is generated as F (K, t∗), then B gives exactly the view of Game 4 to A. Otherwiseif z is chosen randomly, the view is of Game 5. Therefore if AdvA,4 − AdvA,5 is non-negligble, B must alsohave non-negligible advantage against the security of the puncturable PRF.

Lemma 5. If our puncturable deterministic encryption scheme is secure, then for all PPT A we have thatAdvA,5 − AdvA,6 = negl(λ) for some negligible function negl.

Proof. We begin by observing that the difference between Game 5 and Game 6 is that in Game 6 the messageencrypted in step 6 is always m0 and in Game 5 the message could be m0 or m1 depending on b. Whenthe coin flip of b = 0 the views of the two games are identical. So if there is a difference in an attacker’sadvantage in guessing b between Game 5 and Game 6 it must solely concentrated on the condition whereb = 1 from step 1.

We describe and analyze a PPT reduction algorithm B that plays the puncturable deterministic encryp-tion security game. B first executes steps 1-4 of Game 5, with the bit of step 1 being set to b = 1. Then itsubmits messages m0,m1 to the PDE challenger and receives back k′ = PuncturePDE(k∗,m0,m1) and T0, T1.On step 6 it sets c∗ = T0.

In step 7 let c0, c1 consist of T0, T1 in lexicographic order. Here we see the point of demanding lex-icographic ordering on the PDE ciphertexts in previous games as the reduction algorithm here does notknow whether m0 is in T0 or T1. Let df = f(m0) = f(m1), where f is the key queried for. It createsC1 = Key-Eval:2[K(t∗), t∗, f, c0, c1, df , k

′].Finally, if the attacker wins (i.e. b′ = b), then B guesses ‘1’ to indicated that c∗ = T1 was an encryption

of m1; otherwise, it outputs ‘0’ to that c∗ = T1 was an encryption of m0.We observe that when c∗ = T1 is generated as EncryptPDE(k∗,m1) then B gives exactly the view of

Game 5 (conditioned on b = 1 to A. Otherwise if c∗ is generated as EncryptPDE(k∗,m0) the view is of

16

Game 6. Therefore if AdvA,5 − AdvA,6 is non-negligble, B must also have non-negligible advantage againstthe puncturable deterministic encryption system.

Now with all the lemmas in place we can pull our main theorem together. By a simple hybrid argument itfollows that any PPT attacker’s advantage in the original security Game 1 can be at most negligibly greaterthan its advantage in Game 6. However, the advantage of any attacker in Game 6 is 0 since it gives noinformation on the bit b and thus the scheme is secure.

6 An Adaptively Secure Construction

We now describe our construction of a functional encryption (FE) scheme that is adaptively secure. We letthe message space M = {0, 1}`(λ) for some polynomial function ` and the function class be F(λ) = F .

We will use two puncturable PRFs F1, F2 such that when we fix the keys K we have that F1(K, ·) takesin a 2λ bit input and outputs two bit strings of length λ and F2(K, ·) takes λ bits to five bitstrings of lengthλ. In addition, we use a puncturable deterministic encryption scheme where the message space is {0, 1}λ. Inour Puncturable PRF and PDE systems master keys are sampled uniformly at random from {0, 1}λ. Finally,we use an indistinguishability secure obfuscator and an injective length doubling pseudo random generatorPRG : {0, 1}λ → {0, 1}2λ.

Finally, we use a one-bounded secure functional encryption system with master key encryption consistingof algorithms: KeyGenOB,EncryptOB,DecryptOB. We assume without loss of generality that the master keyis chosen uniformly from {0, 1}λ. The message spaceM and key description space f ∈ F of the one boundedscheme is the same as the scheme we are constructing.

Our Construction Our construction achieves an adaptively secure functional encryption by bootstrappingfrom a one-bounded FE scheme that is adaptively secure. At a high level a ciphertext is associated with atag t and a private key with a tag y. From the pair of tags (t, y) one can (with the proper key material)pseudorandomly derive a master secret key k for a one bounded FE system. The ciphertext will be equippedwith an obfuscated program, C, which on input of a key tag y will generate the one bounded key k (associatedwith the pair (t, y)) and then uses this to create an encryption of the message m under the one-boundedscheme with key k. Likewise, the private key for functionality f comes equipped with an obfuscated programPf which on input of a ciphertext tag t derives the one bounded secret key k and uses this to create a one-bounded secret key.

The decryption algorithm will pass the key tag y to the ciphertext program to get a one boundedciphertext CTOB and the ciphertext tag t to the key program to get a one bound key SKOB. Finally, it willapply the one bounded decryption algorithm as DecryptOB(CTOB,SKOB) to learn the message m. The onebounded key and ciphertext are compatible since they are both derived psuedorandomly from the pair (t, y)to get same one-bounded key k. (Note a different pair (t′, y′) 6= (t, y) corresponds to a different one boundedFE key k′ with high probability.)

Our bootstrapping proof structure allows us to develop “selective-ish” techniques at the outer level since inour reductions the ciphertext and private key tags can be chosen randomly ahead of time before the challengemessage or any private key queries are known. Then the challenge of dealing with adaptive security is then“pushed down” to the one bounded FE scheme, where it has been solved in previous work [GVW12].

In the description above we have so far omitted one critical ingredient. In addition to generating a onebounded secret key on input t, the program Pf on input t will also generate an encrypted signal a that ispassed along with the tag y to the ciphertext program C on decryption to let it know that it is “okay” togenerate the one-bounded ciphertext for the pair (t, y). In the actual use of the system, this is the onlyfunctionality of the signal. However, looking ahead to our proof we will change the signal encrypted to tellthe program C to switch the message for which it generates one bounded encryption encryptions of.

17

Setup(1λ)The algorithm first chooses a random punctured PRF key K ← KeyF1

(1λ) which is set as the master secretkey MSK. Next it creates an obfuscation of the program Initial-Encrypt as P ← iO(1λ, Initial-Encrypt:1[K]).8

Encrypt(PP = P (·),m ∈M)The encryption algorithm performs the following steps in sequence.

1. Chooses random r ∈ {0, 1}λ.

2. Sets (t,Kt, α)← P (r).

3. Sets α̃ = PRG(α).

4. Creates the program C ← iO(1λ,CT-Eval:1[Kt, α̃,m]).9

5. The output ciphertext is CT = (t, C).

KeyGen(MSK, f ∈ F(λ))The KeyGen algorithm first chooses a random y ∈ {0, 1}λ. It next produces an obfuscated program Pf byobfuscating Pf ← iO(Key-Signal:1[K, f, y]). 10

The secret key is SK = (y, Pf ).

Decrypt(CT = (t, C),SK = (y, Pf ))The decryption algorithm takes as input a ciphertext CT = (t, C) and a secret key SK = (y, Pf ). It firstcomputes (a,SKOB) = Pf (t). Next it computes CTOB = C(a, y). Finally, it will use the produced secret keyto decrypt the produced ciphertext as DecryptOB(CTOB,SKOB) and outputs the result.

Correctness We briefly sketch a correctness argument. Consider a ciphertext CT = (t, C) created formessage m that is associated with tag t and a key for function f that is associated with tag y. On decryptionthe algorithm first calls (a,SKOB) = Pf (t). Here the obfuscated program computes: (Kt, α) = F1(K, t),(d, k, s1, s2, s3) = F2(Kt, y), and a = EncryptPDE(d, α) and SKOB = KeyGenOB(k, f ; s2).

Next, it calls CTOB = C(a, y), where C was generated as an obfuscation of program CT-Eval:1[Kt, α̃,m]where α̃ = PRG(α). This obfuscated program will compute the same values of (d, k, s1, s2, s3) = F2(Kt, y)as the key signal program. By correctness of the PDE system we will have that DecryptPDE(d, a) = α andthus the program will output EncryptOB(k,m; s1). At this point the decryption algorithm has a one boundedprivate key for function f and a one bounded ciphertext for message m both created under the same masterkey k. Therefore, running the one-bounded decryption algorithm will produce f(m).

Initial-Encrypt:1

Constants: Puncturable PRF key K.Input: Randomness r ∈ {0, 1}λ.

1. Let t = PRG(r).

2. Compute (Kt, α) = F1(K, t).

3. Output: (t,Kt, α).


8The program Initial-Encrypt:1 is padded to be the same size as Initial-Encrypt:2.) This obfuscated program, P servesas the public parameters PP.

9The program CT-Eval:1 is padded to be the same size as the maximum of CT-Eval:2 and CT-Eval:3.10The program Key-Signal:1 is padded to be the same size as Key-Signal:2.

18

CT-Eval:1

Constants: PRF key Kt, α̃ ∈ {0, 1}2λ, message m ∈ M.Input: PDE ciphertext a and value y ∈ {0, 1}λ.

1. Compute (d, k, s1, s2, s3) = F2(Kt, y).

2. Compute e = DecryptPDE(d, a).

3. If PRG(e) = α̃ output EncryptOB(k,m; s1).

4. Else output a rejecting ⊥.

Figure 6: Program CT-Eval:1

Key-Signal:1

Constants: PRF key K, function description f ∈ F , tag y ∈ {0, 1}λ.Input: t ∈ {0, 1}2λ.

1. Compute (Kt, α) = F1(K, t).


3. Compute and output a = EncryptPDE(d, α) and SKOB = KeyGenOB(k, f ; s2).

Figure 7: Program Key-Signal:1

6.1 Proof of Security

Before delving into our formal security proof we will give a brief intuitive overview of its structure andsequence of games steps. In the first steps of our sequence of games proof we will use pseudorandomgenerator security to (indetectably) move t∗ out of the set of tags T that might be generated from theprogram P .11 Then we use use puncturing techniques to remove the key material, K∗t∗ , associated with t∗

from the obfuscated program given in the public parameters. In addition, the proof will hardwire in theresponse of all private keys Pf1 , . . . , PfQ to the input of t∗, where Q is the number of queries issued. Theseactions are covered in moving from Game 1 to Game 5.

In the next grouping of steps we will introduce a second alternative message m0 into the challengeciphertext program C∗ to go along with the message mb for b ∈ {0, 1}. The behavior of the obfuscatedprogram is now (by Game 7) such that if C∗ receives an an “α-signal” as input it will output a one-boundedFE encryption of mb and if it receives a “β-signal” it will output a one-bounded FE encryption of m0.However, the private key programs Pfi are only set to generate α signals. Before this grouping of steps wasexecuted only α-signals existed.

Subsequently, each private key program Pf is transformed one by one such that they are programmed tosend out β-signals upon receiving the tag t∗. When used in decryption this will cause the challenge ciphertextto output one time encryptions of m0 instead of m1. Intuitively, this is undetectable because f(mb) = f(m0)for all private key functions f that can legally be requested. Executing this transformation requires multiplesub steps and is the most complex piece of the proof. It is also where the security one bounded FE schemeis invoked.

Finally, after the above transformations are made we are able to execute two final cleanup steps thatremove the message mb from the ciphertext program C∗. At this point all information about the bit b isremoved from the challenge ciphertext and the advantage of any attacker is 0.

Theorem 4. The above functional encryption scheme is adaptively secure if instantiated with a securepunctured PRF, puncturable deterministic encryption scheme, pseudo random generator, an adaptivelysecure one-bounded functional encryption scheme and indistinguishability secure obfuscator.

To prove the above theorem, we first define a sequence of games where the first game is the original FE

11Note the set T corresponds to the possible outputs of the pseudorandom generator.

19

security game. Then we show (based on the security of different primitives) that any poly-time attacker’sadvantage in each game must be negligibly close to that of the previous game. We begin by with describingGame 1 in detail, which is the adaptive FE security game instantiated with our construction. From there wedescribe the sequence of games, where each game is described by its modification from the previous game.We continue to enumerate each step (in most descriptions) to ease verification of our claims. For an attackalgorithm A we let Q(λ) = Q be a polynomial that bounds the maximum number of private key queriesissued by A.

Game 1 The first game is the original security game instantiated for our construction.

1. Challenger computes keys K ← KeyF1(1λ) and randomly chooses the challenge bit b ∈ {0, 1}.

2. Challenger chooses random r∗ ∈ {0, 1}λ and computes t∗ = PRG(r∗).

3. Challenger computes K∗t∗ , α∗ = F1(K, t∗).

4. Challenger sets α̃∗ = PRG(α∗).


6. Phase 1 Queries: Let fj be the function of associated with the j-th query. Choose random yj ∈ {0, 1}λ.Generate the j-th private key by computing Pfj ← iO(Key-Signal:1[K, fj , yj ]). Output the key as(yj , Pfj ).

7. Attacker gives messages m0,m1 ∈M to challenger.

8. Challenger sets the program C∗ ← iO(1λ,CT-Eval:1[K∗t∗ , α̃∗,mb]).

9. The output ciphertext is CT = (t∗, C∗).

10. Phase 2 Queries: Same as Phase 1 in step 6.


Game 2


2. Challenger chooses random t∗ ∈ {0, 1}2λ.










20

Game 3












Game 4






6. Phase 1 Queries: Let fj be the function of associated with the j-th query.

(a) Choose random yj ∈ {0, 1}λ.

(b) Compute (d∗j , k∗j , s∗1,j , s

∗2,j , s

∗3,j) = F2(Kt∗ , yj).

(c) Compute a∗j = EncryptPDE(d∗j , α∗) and SK∗OB,j = KeyGenOB(k∗j , fj ; s

∗2,j).

(d) Compute Pfj ← iO(Key-Signal:2[K(t∗), t∗, a∗j ,SK∗OB,j , fj , yj ]).

(e) Output the key as (yj , Pfj ).




10. Phase 2 Queries: Same as Phase 1 in step 6. (These are also changed as described above.)


21

Game 5



3. Challenger chooses random K∗t∗ , α∗.






∗2,j , s

∗3,j) = F2(Kt∗ , yj).


∗2,j).








Game 6


2. Challenger chooses random t∗ ∈ {0, 1}2λcomputes computes K(t∗) = PunctureF (K, t∗).


4. Challenger sets α̃∗ = PRG(α∗) and chooses random β̃∗ ∈ {0, 1}2λ.





∗2,j , s

∗3,j) = F2(Kt∗ , yj).


∗2,j).




8. Challenger sets the program C∗ ← iO(1λ,CT-Eval:2[K∗t∗ , α̃∗, β̃∗,mb,m0]).




22

Game 7 Same as Game 6 except we change line 4 to:

4. Challenger sets α̃∗ = PRG(α∗), chooses β∗ ∈ {0, 1}λ at random and sets β̃∗ = PRG(β∗).

Game 8, i




4. Challenger sets α̃∗ = PRG(α∗), chooses β∗ ∈ {0, 1}λ at random and sets β̃∗ = PRG(β∗).





∗2,j , s

∗3,j) = F2(Kt∗ , yj).

(c) If j > i then set a∗j = EncryptPDE(d∗j , α∗); otherwise if j ≤ i set a∗j = EncryptPDE(d∗j , β

∗).Let SK∗OB,j = KeyGenOB(k∗j , fj ; s

∗2,j).








Game 9




4. Challenger chooses α̃∗ ∈ {0, 1}2λ at random, chooses β∗ ∈ {0, 1}λ at random and sets β̃∗ = PRG(β∗).





∗2,j , s

∗3,j) = F2(Kt∗ , yj).

(c) Set a∗j = EncryptPDE(d∗j , β∗). Let SK∗OB,j = KeyGenOB(k∗j , fj ; s

∗2,j).




23





Game 10 Is the same as Game 9 except line 8 is set to:8. Challenger sets the program C∗ ← iO(1λ,CT-Eval:1[K∗t∗ , β̃

∗,m0]).

We observe at this stage the interaction with the challenger is completely independent of b — note themessage m0 is encrypted regardless of b — and thus the attacker’s advantage is 0 in this final game.

Initial-Encrypt:2

Constants: Puncturable PRF key K(t∗).Input: Randomness r.

1. Let t = PRG(r).

2. Compute (Kt, α) = F1(K(t∗), t).

3. Output: (t,Kt, α).


Key-Signal:2

Constants: PRF key K(t∗), t∗, a∗, SK∗OB, function description f , tag y ∈ {0, 1}λ.Input: t ∈ {0, 1}2λ.

1. If t = t∗ output a∗, SK∗OB.

2. Compute (Kt, α) = F1(K(t∗), t).


4. Compute and output a = EncryptPDE(d, α) and SKOB = KeyGenOB(k, f ; s2)

Figure 9: Program Key-Signal:2

CT-Eval:2

Constants: PRF key Kt, α̃, β̃ ∈ {0, 1}2·λ, messages m,mfixed ∈ M.Input: (a, y).




4. If PRG(e) = β̃ output EncryptOB(k,mfixed; s3).



24

6.2 Indistinguishability Proofs Between Games

We now establish via a sequence of lemmas that the difference of the attacker’s advantage between eachadjacent game is neglgible. Most of the lemmas of indistinguishability are straightforward once the hybridgames are laid out. The exception is in proving the indistinguishability of Game 8, i from Game 8, i+ 1. Wehandle this separately in its own subsection.

We let AdvA,i = Pr[b′ = b]− 12 denote the advantage of algorithm A in Game i of guessing the bit b.

Lemma 6. If our pseudo random generator PRG is secure then for all PPTA we have that AdvA,1−AdvA,2 =negl(λ) for some negligible function negl.

Proof. We describe and analyze a PPT reduction algorithm B that plays the pseudo random generatorsecurity game. B first receives a PRG game challenge T ∈ {0, 1}2λ. It then runs the attacker and runs thesecurity game as described in Game 1 with the exception that in step 2 it lets t∗ = T . If the attacker wins(i.e. b′ = b), then B guesses ‘1’ to indicate that T was in the image of PRG(·); otherwise, it outputs ‘0’ tothat T was chosen randomly.

We observe that when T is generated as T = PRG(r), then B gives exactly the view of Game 1 to A.Otherwise if T is chosen randomly the view is of Game 2. Therefore if AdvA,1 − AdvA,2 is non-negligble, Bmust also have non-neglgible advantage against the pseudo random generator.

Lemma 7. If iO is a secure indistinguishability obfuscator then for all PPTA we have that AdvA,2−AdvA,3 =negl(λ) for some negligible function negl.

Proof. We describe and analyze a PPT reduction algorithm B that plays the indistinguishability obfus-cation security game with A. B runs steps 1-4 as in Game 2. Next it creates two circuits as C0 =Initial-Encrypt:1[K] and C1 = Initial-Encrypt:2[K(t∗)]. It submits both of these to the IO chal-lenger and receives back a program P which it passes to the attacker in step 5. It executes steps 6-10 as inGame 2. If the attacker wins (i.e. b′ = b), then B guesses ‘0’ to indicate that P was and obfuscation of C0;otherwise, it guesses ‘1’ to indicate it was an obfuscation of C1.

We observe that when P is generated as and obfuscation of C0, then B gives exactly the view of Game 2to A. Otherwise if P is chosen as an obfuscation of C1 the view is of Game 2. In addition, the programs arefunctionally equivalent with all but negligible probability. The reason is that t∗ is outside the image of thepseudo random generator with probability at least 1− 2λ. Therefore if AdvA,2 − AdvA,3 is non-negligble, Bmust also have non-neglgible advantage against the indisguishability obfuscation game.

Lemma 8. If iO is a secure indistinguishability obfuscator then for all PPTA we have that AdvA,3−AdvA,4 =negl(λ) for some negligible function negl.

Proof. To prove this claim we will consider a hybrid argument. Let Q = Q(λ) be the number of private keyqueries issued by some attacker A. These include both Phase 1 and Phase 2 queries — that is the numberof Phase 1 plus Phase 2 queries sums to Q. For i ∈ [0, Q] we define Game 3, i to be the same as Game 3except that the first i private key queries are handled as in Game 4 and the last Q − i are handled as inGame 3. We observe that Game 3, 0 is the same as Game 3 and that Game 3, Q is the same as Game 4. Thus,to prove security we need to establish that no attacker can distinguish between Game 3, i and Game 3, i+ 1for i ∈ [0, Q− 1] with non negligible advantage.

We describe and analyze a PPT reduction algorithm B that plays the indistinguishability obfuscation se-curity game with A. B runs steps 1-5 as in Game 3. For the first i private key queries it answers as in Game 4.Let f be the function associated with the i+ 1-th key query. For query i+ 1 it will creates two circuits. Thefirst is created as C0 = Key-Signal:1[K, fi+1, yi+1]. Next, it computes (d∗i+1, k

∗i+1, s

∗1,i+1, s

∗2,i+1, s

∗3,i+1) =

F2(Kt∗ , yi+1), a∗i+1 = EncryptPDE(d∗i+1, α∗) and SK∗OB,i+1 = KeyGenOB(k∗i+1, fi+1; s∗2,i+1). Then in creates

the second circuit as C1 = Key-Signal:2[K(t∗), t∗, a∗i+1,SK∗OB,i+1, fi+1, yi+1]).

25

It submits both of these to the IO challenger and receives back a program P which it passes to theattacker as Pf . It answers the rest of the queries of step 6 as in Game 3 and completes steps 7-9 and 11. Ifthe attacker wins (i.e. b′ = b), then B guesses ‘0’ to indicate that P was and obfuscation of C0; otherwise,it guesses ‘1’ to indicate it was an obfuscation of C1.

We observe that when P is generated as and obfuscation of C0, then B gives exactly the view of Game 3, ito A. Otherwise if P is chosen as an obfuscation of C1 the view is of Game 3, i+ 1. In addition, the programsare functionally equivalent with all but negligible probability. The only difference in the programs is thatthe response is hardwired in for one input. Therefore if AdvA,3,i − AdvA,3,i+1 is non-negligble, B must alsohave non-neglgible advantage against the indisguishability obfuscation game.

Lemma 9. If F is a selectively secure puncturable PRF then for all PPT A we have that AdvA,4−AdvA,5 =negl(λ) for some negligible function negl.

Proof. We describe and analyze a PPT reduction algorithm B that plays the selective puncturable PRFsecurity game. B first runs step 1. In step 2 it chooses t∗ and submits it to the punctured PRF challenger.It receives back a punctured key K(t∗) and a challenge value (z1, z2). In step 3 it sets (K∗t∗ , α

∗) = (z1, z2). Itthen runs step 4-10 as in Game 4. We note that in steps 5 and 6 that the punctured key K1(t∗) is sufficient tocreate all programs. If the attacker wins (i.e. b′ = b), then B guesses ‘1’ to indicate that (z1, z2) = F (K, t∗);otherwise, it outputs ‘0’ to that (z1, z2) was chosen randomly.

We observe that when (z1, z2) is generated as F (K, t∗), then B gives exactly the view of Game 4 to A.Otherwise if z is chosen randomly the view is of Game 4′. Therefore if AdvA,4 − AdvA,5 is non-negligble, Bmust also have non-neglgible advantage against the security of the puncturable PRF.

Lemma 10. If iO is a secure indistinguishability obfuscator then for all PPT A we have that AdvA,5 −AdvA,6 = negl(λ) for some negligible function negl.

Proof. We describe and analyze a PPT reduction algorithm B that plays the indistinguishability obfus-cation security game with A. B runs steps 1-7 as in Game 6. Next it creates two circuits as C0 =CT-Eval:1[K∗t∗ , α̃

∗,mb] and C1 = CT-Eval:2[K∗t∗ , α̃∗, β̃∗,mb,m0]. In step 8 it submits both of these

to the IO challenger and receives back a program P which it passes to the attacker in step 9 as C∗. Itexecutes steps 9-11 as in Game 6. If the attacker wins (i.e. b′ = b), then B guesses ‘0’ to indicate that P wasand obfuscation of C0; otherwise, it guesses ‘1’ to indicate it was an obfuscation of C1.

We observe that when P is generated as and obfuscation of C0, then B gives exactly the view of Game 5to A. (Note that simply choosing β̃∗ and doing nothing with it is equivalent to Game 5 from the attacker’sview.) Otherwise if P is chosen as an obfuscation of C1 the view is of Game 6. In addition, the programs arefunctionally equivalent with all but negligible probability. The reason is that β̃∗ is outside the image of thepseudo random generator with probability at least 1 − 2λ. And in this case the CT-Eval:2 program willbehave the same as the CT-Eval:1 program since it only adds a dead branch. Therefore if AdvA,5−AdvA,6is non-negligble, B must also have non-neglgible advantage against the indisguishability obfuscation game.

Lemma 11. If our pseudo random generator PRG is secure, then for all PPT A we have that AdvA,6 −AdvA,7 = negl(λ) for some negligible function negl.

Proof. We describe and analyze a PPT reduction algorithm B that plays the pseudo random generatorsecurity game. B first receives a PRG game challenge T ∈ {0, 1}2λ. It then runs the attacker and runs thesecurity game as described in Game 6 with the exception that in step 4 it lets β̃∗ = T . If the attacker wins(i.e. b′ = b), then B guesses ‘1’ to indicate that T was in the image of PRG(); otherwise, it outputs ‘0’ tothat T was chosen randomly.

We observe that when T is generated as T = PRG(r), then B gives exactly the view of Game 6 to A.Otherwise if T is chosen randomly the view is of Game 7. Therefore if AdvA,6 − AdvA,7 is non-negligble, Bmust also have non-neglgible advantage against the pseudo random generator.

26

We next observe that Game 7 is identical to Game 8, 0. We also skip over the lemma dealing with Game 8, ito Game 8, I + 1 and defer it to the next subsection.

Lemma 12. If our pseudo random generator PRG is secure, then for all PPT A we have that AdvA,(8,Q(λ))−AdvA,9 = negl(λ) for some negligible function negl.

Proof. We describe and analyze a PPT reduction algorithm B that plays the pseudo random generatorsecurity game. B first receives a PRG game challenge T ∈ {0, 1}2λ. It then runs the attacker and runs thesecurity game as described in Game 8, Q with the exception that in step 4 it lets α̃∗ = T . We emphasizethat in Game 8, Q anon of the a∗j encrypt α. If the attacker wins (i.e. b′ = b), then B guesses ‘1’ to indicatethat T was in the image of PRG(); otherwise, it outputs ‘0’ to that T was chosen randomly.

We observe that when T is generated as T = PRG(r), then B gives exactly the view of Game 8, Q to A.(We note that step 6b is already the same between these two games.) Otherwise if T is chosen randomly theview is of Game 9. Therefore if AdvA,8,Q−AdvA,9 is non-negligble, B must also have non-neglgible advantageagainst the pseudo random generator.

Claim 1. If iO is a secure indistinguishability obfuscator, then for all PPTA we have that AdvA,9−AdvA,10 =negl(λ) for some negligible function negl.

Proof. We describe and analyze a PPT reduction algorithm B that plays the indistinguishability obfus-cation security game with A. B runs steps 1-7 as in Game 9. Next it creates two circuits as C0 =CT-Eval:2[K∗t∗ , α̃

∗, β̃∗,mb,m0] and and C1 = CT-Eval:1[K∗t∗ , β̃∗,m0]. It submits both of these to the

IO challenger and receives back a program P which it passes to the attacker in step 9 as C∗. It executessteps 9-11 as in Game 9. If the attacker wins (i.e. b′ = b), then B guesses ‘0’ to indicate that P was andobfuscation of C0; otherwise, it guesses ‘1’ to indicate it was an obfuscation of C1.

We observe that when P is generated as and obfuscation of C0, then B gives exactly the view of Game 9to A. Otherwise if P is chosen as an obfuscation of C1 the view is of Game 10. In addition, the programsare functionally equivalent with all but negligible probability. The reason is that α̃∗ is outside the image ofthe pseudo random generator with probability at least 1 − 2λ. And in this case the CT-Eval:1 programwill behave the same as the CT-Eval:2 program since it only subtracts a dead branch. Therefore ifAdvA,9 − AdvA,10 is non-negligble, B must also have non-neglgible advantage against the indisguishabilityobfuscation game.

6.3 Proving Indistinguishability of Game 8, i and Game 8, i+ 1

We now show how to move from Game 8, i and Game 8, i+ 1, which informally changes key i + 1 fromgenerating an α-signal to a β-signal for the challenge ciphertext. (It continues to generate only α-signals forall other ciphertexts.) Here we provide some intuition about this section of the proof. Initially, going into theproof, the challenge ciphertext program C∗ will produce a one bounded FE encryption of mb if it receives anα-signal from key i (during decryption) and it will produce a one bounded FE encryption of m0 if it receivesa β-signal. The first grouping of steps will change things such that C∗ produces a one bounded encryptionof m0 (for the i-th tag yi) on either an α-signal or β-signal. During this sequence of games the securityof the 1-bounded FE scheme is invoked. (This is done by Game 8, i, C.) At this point the α and β-signalsgenerate the same behavior and we can then flip which one is output by the private key in Game 8, i,D.After this change is performed, the rest of the steps are essentially “cleanup” steps that reverse the earliertransformations.

Lemma 13. If iO is a secure indistinguishability obfuscator and our puncturable deterministic encryptionscheme is secure, then for all PPT A and for all i ∈ [0, Q(λ) − 1] we have that AdvA,(8,i) − AdvA,(8,i+1) =negl(λ) for some negligible function negl.

27

Proof. The proof of this claim is significantly more complicated than the others and will require the definitionof some more hybrid games. We show these as modifications to lines 6-10 of the security game.

Game 8, i, A Same as Game 8, i with the following modifications.




∗2,j , s

∗3,j) = F2(Kt∗ , yj).


∗).

(d) Let SK∗OB,j = KeyGenOB(k∗j , fj ; s∗2,j).

(e) Compute Pfj ← iO(Key-Signal:2[K(t∗), t∗, a∗j ,SK∗OB,j , fj , yj ]).

(f) Output the key as (yj , Pfj ).


8. (a) Let c′0 = EncryptPDE(d∗i+1, α∗), c′1 = EncryptPDE(d∗i+1, β

∗), CT′OB,0 = EncryptOB(k∗i+1,mb; s∗1,i+1)

and CT′OB,1 = EncryptOB(k∗i+1,m0; s∗3,i+1). If c′0 < c′1 (lexicographically) then set c0 = c′0, c1 = c′1,

CTOB,0 = CT′OB,0,CTOB,1 = CT′OB,1. Else set c0 = c′1, c1 = c′0,CTOB,0 = CT′OB,1,CTOB,1 = CT′OB,0.

(b) Sample K∗t∗(yi+1) as PunctureF (K∗t∗ , yi+1).

(c) Challenger creates C∗ ← iO(1λ,CT-Eval:3[K∗t∗(yi+1), α̃∗, β̃∗,mb,m0, y∗, c0, c1,CTOB,0,CTOB,1]).



Remark 4. We remark that the lexicographic ordering is so that the ordering of the hardwired signals andthe corresponding one bounded ciphertexts. 12 This is so that we don’t have an situation where say testingof α signals always happens first. This property will be important later for arguing security from Game 8, i, Cto Game 8, i,D.

Game 8, i, B Same as Game 8, i, A with the following modifications.



(b) If j = i+ 1 then choose (d∗j , k∗j , s∗1,j , s

∗2,j , s

∗3,j) uniformly at random.

Else compute (d∗j , k∗j , s∗1,j , s

∗2,j , s

∗3,j) = F2(Kt∗ , yj).


∗).





12Another alternative would be to put the ciphertexts in random order (as we did in an earlier version of this work).

28




CTOB,0 = CT′OB,0,CTOB,1 = CT′OB,1. Else set c0 = c′1, c1 = c′0,CTOB,0 = CT′OB,1,CTOB,1 =

CT′OB,0.





Game 8, i, C Same as Game 8, i, B with the following modifications.




∗2,j , s



∗2,j , s

∗3,j) = F2(Kt∗ , yj).


∗).






∗), CT′OB,0 = EncryptOB(k∗i+1,m0; s∗1,i+1)



CT′OB,0.





Game 8, i,D Same as Game 8, i, C with the following modifications.




∗2,j , s



∗2,j , s

∗3,j) = F2(Kt∗ , yj).

(c) If j > i+ 1 then set a∗j = EncryptPDE(d∗j , α∗); otherwise if j ≤ i+ 1 set a∗j = EncryptPDE(d∗j , β

∗).





29


∗), CT′OB,0 = EncryptOB(k∗i+1,m0; s∗1,i+1)



CT′OB,0.





Now that the signal has been changed we reverse out of the modifications we have been making.

Game 8, i, E Same as Game 8, i,D with the following modifications.




∗2,j , s



∗2,j , s

∗3,j) = F2(Kt∗ , yj).


∗).









CT′OB,0.





Game 8, i, F Same as Game 8, i, E with the following modifications.




∗2,j , s

∗3,j) = F2(Kt∗ , yj).


∗).





30





CT′OB,0.





Game 8, i, G Same as Game 8, i, F with the following modifications.




∗2,j , s

∗3,j) = F2(Kt∗ , yj).


∗).








We conclude by observing that Game 8, i, G is identical to Game 8, i+ 1. We now give our indistinguisha-bility claims.

CT-Eval:3

Constants: PRF key Kt(y∗), α̃, β̃ ∈ {0, 1}2·λ, messages m,mfixed ∈ M, y∗, c0, c1, CTOB,0, CTOB,1. a

Input: PDE ciphertext a and y ∈ {0, 1}λ.

1. If y = y∗ AND (a = c0) output CTOB,0.

2. If y = y∗ AND (a = c1) output CTOB,1.

3. If y = y∗ AND (a 6= c0, c1) then output a rejecting ⊥.

4. Else if y 6= y∗ Compute (d, k, s1, s2, s3) = F2(Kt(y∗), y).



7. If PRG(e) = β̃ output EncryptOB(k,mfixed; s3).


aWe note that the naming of constants are local to this program description. In particular, the terms y∗ and mfixed

are not used elsewhere in the system.


31

Game 8, i to Game 8, i, A

Claim 2. If iO is a secure indistinguishability obfuscator, then for all PPT A we have that AdvA,8,i −AdvA,8,i,A = negl(λ) for some negligible function negl.

We describe and analyze a PPT reduction algorithm B that plays the indistinguishability obfusca-tion security game with A. B runs steps 1-7 as in Game 8, i, A. Next it creates two circuits as C0 =CT-Eval:2[K∗t∗ , α̃

∗, β̃∗,mb,m0] and and C1 = CT-Eval:3[K∗t∗(yi+1), α̃∗, β̃∗,mb,m0, y∗, c0, c1,CTOB,0,CTOB,1].

It submits both of these to the IO challenger and receives back a program P which it passes to the attackerin step 9 as C∗. It turns steps 9-11 as in Game 8, i, A. If the attacker wins (i.e. b′ = b), then B guesses ‘0’ toindicate that P was and obfuscation of C0; otherwise, it guesses ‘1’ to indicate it was an obfuscation of C1.

We observe that when P is generated as and obfuscation of C0, then B gives exactly the view of Game 8, ito A. Otherwise if P is chosen as an obfuscation of C1 the view is of Game 8, i, A. In addition, the programsare functionally equivalent. The reason is that the programs have the same behavior except for the differencethat the CT-Eval:3 program has the CT-Eval:2 program’s behavior hardwired in a two points and usesa punctured key at another place. The hardwiring is only needed for two points since the PDE system isdeterministic and the PRG is injective. Therefore if AdvA,8,i−AdvA,8,i,A is non-negligble, B must also havenon-negligible advantage against the indisguishability obfuscation game.

Game 8, i, A to Game 8, i, B

Claim 3. If F is a selectively secure puncturable PRF then for all PPT A we have that AdvA,8,i,A −AdvA,8,i,B = negl(λ) for some negligible function negl.

Proof. We describe and analyze a PPT reduction algorithm B that plays the selective puncturable PRFsecurity game. B begins by choosing yi+1 ∈ {0, 1}λ at step 3. It then submits this to the punctured PRFchallenger for function F2. It receives back a punctured key K∗t∗(yi+1) and a challenge value z ∈ {0, 1}5λ.It runs steps 2 onward for A as in Game 8, i. When making private key i + 1 (in either Phase 1 or 2) thechallenger sets (d∗j , k

∗j , s∗1,j , s

∗2,j , s

∗3,j) = z. All other steps are simulated by the reduction with the exception

that we abort if yj = yi+1 for j 6= i + 1. This abort condition occurs with negligible probability so we canignore it. We emphasize that in step 8, the CT-Eval:3 program is parameterized by the punctured keyK∗t∗(yi+1). If the attacker wins (i.e. b′ = b), then B guesses ‘1’ to indicated that z = F (K, t∗); otherwise, itoutputs ‘0’ to that z was chosen randomly.

We observe that when z is generated as F (K, t∗), B gives exactly the view of Game 8, i, A to A. Otherwiseif z is chosen randomly the view is of Game 8, i, B. Therefore if AdvA,8,i,A − AdvA,8,i,B is non-negligible, Bmust also have non-negligible advantage against the security of the puncturable PRF.

Game 8, i, B to Game 8, i, C

Claim 4. If (KeyGenOB,EncryptOB,DecryptOB) is an adaptively secure 1-bounded functional encryptionsystem with master key encryption, then then for all PPT A we have that AdvA,8,i,B −AdvA,8,i,C = negl(λ)for some negligible function negl.

Proof. We describe and analyze a PPT reduction algorithm B that plays the 1-bounded functional encryptionsecurity game. We begin by noting that an attacker can only have a non-zero difference in advantage betweenthe two games when the bit b = 1. Otherwise, they appear identical. So we condition the reduction on settingthe bit b = 1.

Suppose that the i + 1-th query is in Phase 1. The reduction algorithm runs the experiment throughstep 5. For step 6 it creates all secret keys itself except for the i + 1 key. For this the reduction algorithmqueries the FE challenger with fi+1 and receives back SK∗OB,i+1.

We now move to step in creating the challenge ciphertext in step 8a. First we let c′0 = EncryptPDE(d∗i+1, α∗),

c′1 = EncryptPDE(d∗i+1, β∗), CT′OB,0 = EncryptOB(k∗i+1,mb; s

∗1,i+1). (Here d∗i+1 is chosen randomly by the re-

duction.)

32

Next, it queries the 1-bounded FE scheme’s encryption oracle for an encryption of m0 and set this tobe CT′OB,0. Then, it submits (m0,m1) to the FE challenger and receives back the one bounded challenge

ciphertext and sets CT′OB,1 to be this value.Finally, we put everything in lexicographic order (as usual) before making the program. If c′0 < c′1

(lexicographically) then set c0 = c′0, c1 = c′1, CTOB,0 = CT′OB,0,CTOB,1 = CT′OB,1. Else set c0 = c′1, c1 =

c′0,CTOB,0 = CT′OB,1,CTOB,1 = CT′OB,0. The reduction algorithm then runs the rest of the experimentstarting at step 8, b itself.

The reduction algorithm then runs the rest of the experiment itself.If the attacker wins (i.e. b′ = b), then B guesses ‘1’ to indicated that the challenge ciphertext was an

encryption of m1; otherwise, it outputs ‘0’ to indicate that m0 was encrypted. (Recall again, we conditionthe proof step on b = 1).

In the case that the i + 1-th query was in Phase 2, the reduction is the same except that the challengeciphertext is queried before the key. Either order is okay since the 1-bounded scheme is assumed to beadaptively secure. We emphasize that our reduction only makes a single key query.

We observe that when the challenge ciphertext encrypts m1, then B gives exactly the view of Game 8, i, Bto A (conditioned on b = 1). Otherwise if m0 were encrypted, then the view is of Game 8, i, C. Thereforeif AdvA,8,i,B −AdvA,8,i,C is non-negligble, B must also have non-negligible advantage against the security ofthe 1-bounded FE scheme.

Game 8, i, C to Game 8, i,D

Claim 5. If our puncturable deterministic encryption scheme is secure then for all PPT A we have thatAdvA,8,C − AdvA,8,D = negl(λ) for some negligible function negl.

Proof. We describe and analyze a PPT reduction algorithm B that plays the puncturable deterministicencryption (PDE) security game. We describe the reduction assuming that key query i + 1 is in Phase 1while noting that the Phase 2 proof proceeds in almost the same manner.B first executes steps 1-5 as in Game 8, C as well as answer key queries j for all j 6= i+1. Then it submits

messages (α∗, β∗) to the PDE challenger and receives back (T0, T1). Depending on the coin flip b̃ of the PDEchallenger either T0 is a PDE encryption of α∗ and T1 an encryption of β∗. Or the other way around.

In step 6 it sets a∗i+1 = T0. If b̃ (of the PDE challenger) is 0, then this is an encryption of α∗ and we are

in Game 8, i, C or if b̃ = 1 it is an encryption of β∗ and we are in Game 8, i,D.It then runs until step 8, where it sets c′0 = T0 and c′1 = T1. Then it generates CTOB,0 and CTOB,1 each

as fresh encryptions of m0. Finally, we put everything in lexicographic order (as usual) before making theprogram. If c′0 < c′1 (lexicographically) then set c0 = c′0, c1 = c′1, CTOB,0 = CT′OB,0,CTOB,1 = CT′OB,1. Else

set c0 = c′1, c1 = c′0,CTOB,0 = CT′OB,1,CTOB,1 = CT′OB,0.We make two important observations. The first is that this is the point where it is important that the

PDE signals are lexicographically ordered as inputs to constructing the program C∗. If instead say theencryption of signal α∗ had to go first, then this reduction could be stuck in step 8 since it does not knowwhether T0 or T1 is a PDE encryption of α∗. In addition, the security proof also works at this step becauseat this point both CTOB,0 and CTOB,1 are 1 bounded FE encryptions of the same message m0 so there isno need to “match” them to the right signal.

The reduction algorithm simulates the rest of the game. If the attacker wins (i.e. b′ = b), then B guesses‘0’ to indicated that c∗ was an encryption of α∗; otherwise, it outputs ‘1’ to that c∗ was an encryption of β∗.

When T0 is generated as EncryptPDE(k∗, α∗) then B gives exactly the view of Game 8, C. Otherwisewhen T0 is generated as EncryptPDE(k∗, β∗) the view is of Game 8, D. Therefore if AdvA,8,C − AdvA,8,D isnon-negligble, B must also have non-negligible advantage against the puncturable deterministic encryptionsystem.

33

Game 8, i,D to Game 8, i, E

Claim 6. If (KeyGenOB,EncryptOB,DecryptOB) is an adaptively secure 1-bounded functional encryptionsystem with master key encryption, then then for all PPT A we have that AdvA,8,i,D −AdvA,8,i,E = negl(λ)for some negligible function negl.

The proof of this claim is analogous to that of Claim 4.

Game 8, i, E to Game 8, i, F

Claim 7. If F is a selectively secure puncturable PRF then for all PPT A we have that AdvA,8,i,E −AdvA,8,i,F = negl(λ) for some negligible function negl.


Game 8, i, F to Game 8, i, G

Claim 8. If iO is a secure indistinguishability obfuscator, then for all PPT A we have that AdvA,8,i,F −AdvA,8,i,G = negl(λ) for some negligible function negl.


To wrap things up we observe that Lemma 13 follows from a hybrid argument using the claims above.Finally, our main security Theorem 4 follows via hybrid argument from the established lemmas.

7 Using Non-Injective Pseudo Random Generators

Our adaptive construction required the use of an injective pseudo random generator. In this section weinformally sketch how to modify our construction to handle non-injective PRGs. We describe the modificationin two main steps.

We first observe that if PRG is non-injective then there could be multiple pre-images to α̃∗ and β̃∗ inaddition to α∗ and β∗. Therefore we would need to adjust program CT-Eval:3 so that when y = y∗ AND(a 6= c0, c1) it attempts to decrypt a as opposed to simply outputting ⊥. This can be securely accomplishedby giving the program the punctured PDE key d(α∗, β∗), which can be used to decrypt all ciphertexts exceptc0 and c1.

The above modification will allow all lemmas and claims of the existing proof to go through except forthe claim of indistinguishability of Game 8, i, C and Game 8, i,D. The problem with this game is that all“α̃∗ ciphertexts” are the same since they are encrypted with the same randomness s∗1,i+1. A similar problem

occurs with the “β̃∗ ciphertexts”.A solution is to modify the scheme such that the randomness for creating the one-bounded ciphertexts

does not come directly out of F2 in the CT-Eval programs. Instead, F2 could output a master key of yetanother puncturable PRF F3. This puncturable PRF would then take in a PDE ciphertext and output therandomness used for a creating a one-bounded ciphertext. The proof would need to be adjusted with anadditional puncturable PRF step.

We emphasize that the above argument is informal intuition why we believe the system can be adjustedto handle non-injective PRGs and we do not make any formal claims of such. We choose to pursue usinginjective PRGs in our formal construction and proof to help avoid additional complexity in our exposition.

References

[ABG+13] Prabhanjan Ananth, Dan Boneh, Sanjam Garg, Amit Sahai, and Mark Zhandry. Differing-inputs obfuscation and applications. Cryptology ePrint Archive, Report 2013/689, 2013. http://eprint.iacr.org/.

34

[ABSV14] Prabhanjan Ananth, Zvika Brakerski, Gil Segev, and Vinod Vaikuntanathan. The trojan methodin functional encryption: From selective to adaptive security, generically. Cryptology ePrintArchive, Report 2014/917, 2014. http://eprint.iacr.org/.

[BCOP04] Dan Boneh, Giovanni Di Crescenzo, Rafail Ostrovsky, and Giuseppe Persiano. Public keyencryption with keyword search. In EUROCRYPT, pages 506–522, 2004.

[BCP14] Elette Boyle, Kai-Min Chung, and Rafael Pass. On extractability obfuscation. In TCC, pages52–73, 2014.

[BFO08] Alexandra Boldyreva, Serge Fehr, and Adam O’Neill. On notions of security for deterministicencryption, and efficient constructions without random oracles. In CRYPTO, pages 335–359,2008.

[BFOR08] Mihir Bellare, Marc Fischlin, Adam O’Neill, and Thomas Ristenpart. Deterministic encryption:Definitional equivalences and constructions without random oracles. In CRYPTO, pages 360–378, 2008.

[BGI+12] Boaz Barak, Oded Goldreich, Russell Impagliazzo, Steven Rudich, Amit Sahai, Salil P. Vadhan,and Ke Yang. On the (im)possibility of obfuscating programs. J. ACM, 59(2):6, 2012.

[BGI13] Elette Boyle, Shafi Goldwasser, and Ioana Ivan. Functional signatures and pseudorandom func-tions. IACR Cryptology ePrint Archive, 2013:401, 2013.

[BS14] Zvika Brakerski and Gil Segev. Function-private functional encryption in the private-key setting.Cryptology ePrint Archive, Report 2014/550, 2014. http://eprint.iacr.org/.

[BSW11] Dan Boneh, Amit Sahai, and Brent Waters. Functional encryption: definitions and challenges.In Proceedings of the 8th conference on Theory of cryptography, TCC’11, pages 253–273, Berlin,Heidelberg, 2011. Springer-Verlag.

[BW07] Dan Boneh and Brent Waters. Conjunctive, subset, and range queries on encrypted data. InProceedings of the 4th conference on Theory of cryptography, TCC’07, pages 535–554, Berlin,Heidelberg, 2007. Springer-Verlag.

[BW13] Dan Boneh and Brent Waters. Constrained pseudorandom functions and their applications.IACR Cryptology ePrint Archive, 2013:352, 2013.

[BWZ14] Dan Boneh, David J. Wu, and Joe Zimmerman. Immunizing multilinear maps against zeroizingattacks. Cryptology ePrint Archive, Report 2014/930, 2014. http://eprint.iacr.org/.

[CHL+14] Jung Hee Cheon, Kyoohyung Han, Changmin Lee, Hansol Ryu, and Damien Stehle. Crypt-analysis of the multilinear map over the integers. Cryptology ePrint Archive, Report 2014/906,2014. http://eprint.iacr.org/.

[CJO+13] Angelo De Caro, Vincenzo Iovino Abhishek Jain, Adam O’Neill, Omer Paneth, and GiuseppePersiano. On the achievability of simulation-based security for functional encryption. InCRYPTO, 2013.

[CLT14] Jean-Sebastien Coron, Tancrede Lepoint, and Mehdi Tibouchi. Cryptanalysis of two candidatefixes of multilinear maps over the integers. Cryptology ePrint Archive, Report 2014/975, 2014.http://eprint.iacr.org/.

[CW14] Jie Chen and Hoeteck Wee. Semi-adaptive attribute-based encryption and improved delegationfor boolean formula. SCN (To appear), 2014. http://eprint.iacr.org/.

35

[GGH+13] Sanjam Garg, Craig Gentry, Shai Halevi, Mariana Raykova, Amit Sahai, and Brent Waters.Candidate indistinguishability obfuscation and functional encryption for all circuits. In FOCS,2013.

[GGHW14] Sanjam Garg, Craig Gentry, Shai Halevi, and Daniel Wichs. On the implausibility of differing-inputs obfuscation and extractable witness encryption with auxiliary input. In CRYPTO, pages518–535, 2014.

[GGHZ14a] Sanjam Garg, Craig Gentry, Shai Halevi, and Mark Zhandry. Fully secure attribute basedencryption from multilinear maps. Cryptology ePrint Archive, Report 2014/622, 2014. http:

//eprint.iacr.org/.

[GGHZ14b] Sanjam Garg, Craig Gentry, Shai Halevi, and Mark Zhandry. Fully secure functional encryptionwithout obfuscation. Cryptology ePrint Archive, Report 2014/666, 2014. http://eprint.iacr.org/.

[GGM84] Oded Goldreich, Shafi Goldwasser, and Silvio Micali. How to construct random functions(extended abstract). In FOCS, pages 464–479, 1984.

[GHMS14] Craig Gentry, Shai Halevi, Hemanta K. Maji, and Amit Sahai. Zeroizing without zeroes:Cryptanalyzing multilinear maps without encodings of zero. Cryptology ePrint Archive, Report2014/929, 2014. http://eprint.iacr.org/.

[GVW12] Sergey Gorbunov, Vinod Vaikuntanathan, and Hoeteck Wee. Functional encryption withbounded collusions via multi-party computation. In CRYPTO, 2012.

[KPTZ13] Aggelos Kiayias, Stavros Papadopoulos, Nikos Triandopoulos, and Thomas Zacharias. Dele-gatable pseudorandom functions and applications. IACR Cryptology ePrint Archive, 2013:379,2013.

[KSW08] Jonathan Katz, Amit Sahai, and Brent Waters. Predicate encryption supporting disjunctions,polynomial equations, and inner products. In Proceedings of the theory and applications ofcryptographic techniques 27th annual international conference on Advances in cryptology, EU-ROCRYPT’08, 2008.

[KSW14] Dakshita Khurana, Amit Sahai, and Brent Waters. How to generate and use universal param-eters. Cryptology ePrint Archive, Report 2014/507, 2014. http://eprint.iacr.org/.

[O’N10] Adam O’Neill. Definitional issues in functional encryption. Cryptology ePrint Archive, Report2010/556, 2010.

[SS10] Amit Sahai and Hakan Seyalioglu. Worry-free encryption: functional encryption with publickeys. In Proceedings of the 17th ACM conference on Computer and communications security,CCS ’10, pages 463–472, New York, NY, USA, 2010. ACM.

[SW05] Amit Sahai and Brent Waters. Fuzzy identity-based encryption. In EUROCRYPT, pages 457–473, 2005.

[SW08] Amit Sahai and Brent Waters. Slides on functional encryption. PowerPoint presentation, 2008.http://www.cs.utexas.edu/~bwaters/presentations/files/functional.ppt.

[SW14] Amit Sahai and Brent Waters. How to use indistinguishability obfuscation: deniable encryption,and more. In STOC, pages 475–484, 2014.

[Yao82] Andrew Chi-Chih Yao. Theory and applications of trapdoor functions (extended abstract).In 23rd Annual Symposium on Foundations of Computer Science, Chicago, Illinois, USA, 3-5November 1982, pages 80–91, 1982.

36

a punctured programming approach to adaptively … · a punctured programming approach to...

Documents